Creating a keystore from an SSL key and cert
To store an SSL key for Jetty or other Java based webserver, you usually use keytool. You'll first need to convert the key to pkcs12 (we're calling the output file jetty.pkcs12) format like so (we're assuming your key is generated with openssl or something similar - also, we're in the same directory as the keys):
Convert mykey,key and mykey.crt to a pkcs12 format using openssl
( I highly recommend using a passphrase on the key)
openssl pkcs12 -inkey ./mykey.key -in ./mykey.crt -export -out ./jetty.pkcs12
Let's take that pkcs12 key and convert it into a Java keystore (we're calling the keystore mykeystore)
keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype pkcs12 -destkeystore mykeystore
Let's list the contents of this keystore:
keytool -list -storename mykeystore
Add an CA certificate to the default java CA cert keystore
Java keeps its own CA cert repo - which can be frustrating if you don't update java on your server frequently. To add a new CA cert (let's assume you just bought an SSL cert online and your cert CA's certificates were created recently)
1. Find cacerts for your installation - note that many commercial java programs like to install their own java. If you're looking at the default java location, try:
find /usr -name cacerts
1b. If you're trying to find the cacerts for an application you installed, figure out where java is being called from:
ps wwaux | grep java
(you'll likely see a path for java - i.e., /opt/java/bin/java or something similar)
Now, find the cacerts,
find /opt -name cacerts
2. Add the CA cert to your cacerts file:
keytool -import -trustcacerts -alias MyCAsName -file /path/to/ca-certificatec -keystore /path/to/keystore
To store an SSL key for Jetty or other Java based webserver, you usually use keytool. You'll first need to convert the key to pkcs12 (we're calling the output file jetty.pkcs12) format like so (we're assuming your key is generated with openssl or something similar - also, we're in the same directory as the keys):
Convert mykey,key and mykey.crt to a pkcs12 format using openssl
( I highly recommend using a passphrase on the key)
openssl pkcs12 -inkey ./mykey.key -in ./mykey.crt -export -out ./jetty.pkcs12
Let's take that pkcs12 key and convert it into a Java keystore (we're calling the keystore mykeystore)
keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype pkcs12 -destkeystore mykeystore
Let's list the contents of this keystore:
keytool -list -storename mykeystore
Add an CA certificate to the default java CA cert keystore
Java keeps its own CA cert repo - which can be frustrating if you don't update java on your server frequently. To add a new CA cert (let's assume you just bought an SSL cert online and your cert CA's certificates were created recently)
1. Find cacerts for your installation - note that many commercial java programs like to install their own java. If you're looking at the default java location, try:
find /usr -name cacerts
1b. If you're trying to find the cacerts for an application you installed, figure out where java is being called from:
ps wwaux | grep java
(you'll likely see a path for java - i.e., /opt/java/bin/java or something similar)
Now, find the cacerts,
find /opt -name cacerts
2. Add the CA cert to your cacerts file:
keytool -import -trustcacerts -alias MyCAsName -file /path/to/ca-certificatec -keystore /path/to/keystore
No comments:
Post a Comment